806 Commits

Author SHA1 Message Date
Marcus Da Coregio
50f8df6f07 Use HttpStatusCode
Closes gh-11091
2022-04-11 09:19:56 -03:00
Marcus Da Coregio
e1f649690b Adapt to changes in R2DBC 2022-04-11 09:19:47 -03:00
Steve Riesenberg
8aa7029d07 Fix checkstyle errors
Issue gh-10989
2022-03-18 22:53:29 -05:00
Steve Riesenberg
e81990c44e
Update io.r2dbc to 0.9.1.RELEASE
Closes gh-10988
2022-03-18 18:11:49 -05:00
Steve Riesenberg
428216b322 Add support for customizing claims in JWT Client Assertion
Closes gh-9855
2022-03-17 09:50:25 -05:00
Joe Grandja
50a3bcf728 Remove unused code 2022-03-17 05:08:39 -04:00
Jánoky László Viktor
a88b8bf980 ClientAuthenticationMethod equals and hashCode is consistent
Closes gh-10559
2022-03-17 05:05:47 -04:00
Joe Grandja
54b033078b Allow configuring PKCE for confidential clients
Closes gh-6548
2022-03-16 13:36:10 -04:00
Simone Giannino
92a385ed05
OAuth 2.0 logout handler resolves uri placeholders
- OidcClientInitiatedLogoutSuccessHandler can automatically resolve placeholders like baseUrl and registrationId inside the postLogoutRedirectUri

Closes gh-7900
2022-03-15 14:05:26 -06:00
Rob Winch
9b380582dc BearerTokenAuthenticationFilter.securityContextRepository
Issue gh-10953
2022-03-09 15:47:34 -06:00
Josh Cummings
68e2586f06 Move UnmodifiableMapDeserializer
Issue gh-10905
2022-03-01 14:17:17 -07:00
Marcus Da Coregio
d99c08edce Fix failing test in NimbusReactiveJwtDecoderTests 2022-01-17 11:22:05 -03:00
Marcus Da Coregio
e2d1bb6998 Update io.r2dbc to 0.9.0.RELEASE
Closes gh-10745
2022-01-17 10:50:47 -03:00
Joe Grandja
525f40490c Allow Jwt assertion to be resolved
Closes gh-9812
2022-01-10 10:59:14 -05:00
Jonas Erbe
82426e20e1 Fix JwtClaimValidator wrong error code
Previously JwtClaimValidator returned the invalid_request error on claim validation failure.
But validators have to return invalid_token errors on failure according to:
https://datatracker.ietf.org/doc/html/rfc6750#section-3.1.
Also see gh-10337

Closes gh-10337
2021-11-29 12:02:02 -07:00
Marcus Da Coregio
25feedb870 Fix removal of framework deprecated code
Issue https://github.com/spring-projects/spring-framework/issues/27686
2021-11-19 13:06:13 -03:00
Dávid Kováč
862122a267 Update clockSkew javadoc according to implementation
Closes gh-10174
2021-11-19 08:13:12 +01:00
Khaled Hamlaoui
498636e26b Allow custom OAuth2ErrorHttpMessageConverter with OAuth2ErrorResponseErrorHandler
Closes gh-10425
2021-11-16 14:52:08 -06:00
Josh Cummings
2a6e00ceb0 Don't Cache ReactiveJwtDecoders Errors
Closes gh-10444
2021-11-10 17:33:03 -07:00
Steve Riesenberg
ea352e1c59 Add missing @since 5.6 2021-11-09 14:02:35 -06:00
Marcus Da Coregio
db60df2f9c Update to Spring Framework 6.0
Issue gh-10360
2021-11-01 09:02:42 -03:00
Marcus Da Coregio
010f719344 Upgrade to JDK 17
Closes gh-10343
2021-11-01 09:02:42 -03:00
Marcus Da Coregio
560962649e Remove BlockHound dependency
The dependency is not needed anymore and there is a issue when using OpenJDK 13 or higher https://github.com/reactor/BlockHound/issues/33

Issue gh-10343
2021-11-01 09:02:42 -03:00
Rob Winch
f836897190 Checkstyle Fixes
- Javadoc tag ordering
- Private constructors before inner classes

Issue gh-10394
2021-10-18 21:03:35 -05:00
Rob Winch
0c088e278a Update r2dbc-spi-test to 0.8.6.RELEASE
Closes gh-10393
2021-10-18 21:03:12 -05:00
Dávid Kováč
64e9ac995a getClaimAsBoolean() should not be falsy
Closes gh-10148
2021-10-14 11:28:09 -05:00
Philipp Neuschwander
6db58cbf8a Conditionally resolve bearer token from request parameters
Before this commit, the DefaultBearerTokenResolver unconditionally
resolved the request parameters to check whether multiple tokens
are present in the request and reject those requests as invalid.

This commit changes this behaviour to resolve the request parameters
only if parameter token is supported for the specific request
according to spec (RFC 6750).

Closes gh-10326
2021-10-13 17:10:50 -05:00
Dávid Kováč
0299808b05 Add ClaimAccessor tests
Add tests for ClaimAccessor#getClaimAsMap and ClaimAccessor#getClaimAsStringList

Issue gh-10117
2021-10-13 12:53:40 -06:00
Dávid Kováč
125d33e3cf Update JavaDoc according to implementation
Update ClaimAccessor#getClaimAsMap and ClaimAccessor#getClaimAsStringList
JavaDoc according to the current implementation

Closes gh-10117
2021-10-13 12:53:40 -06:00
Joe Grandja
e3abaf7999 Add OAuth2ErrorCodes.INVALID_REDIRECT_URI
Closes gh-10370
2021-10-13 14:12:44 -04:00
Steve Riesenberg
3b564b2026 Add parameters converter support to AbstractWebClientReactiveOAuth2AccessTokenResponseClient
This adds support for configuring NimbusJwtClientAuthenticationParametersConverter to any AbstractWebClientReactiveOAuth2AccessTokenResponseClient as an additional parameters converter, which in turns adds reactive support for jwt client authentication.

Closes gh-10146
2021-10-06 13:09:33 -05:00
Steve Riesenberg
9b24f66f1c Implement reactive support for JWT as an Authorization Grant
Closes gh-10147
2021-10-05 16:09:24 -05:00
Marcus Da Coregio
02b2fcc6f0 Restore ManagementConfigurationPlugin
Issue gh-9615
2021-10-05 11:23:29 -03:00
Marcus Da Coregio
d2e5f2ae0d Update Gradle to 7.2
Closes gh-9615
2021-10-04 15:19:40 -03:00
Josh Cummings
0f8fa36b93 Fix OAuth2 Error Code
Closes gh-10319
2021-09-28 13:24:51 -06:00
Darren Forsythe
5556b821e3 Check for multiple access tokens per rfc 6750
Check for multiple access tokens on the ServerHttpRequest rather than get get first. If multiples are found throw a OAuth2AuthenticationException.

Closes gh-5708
2021-09-28 08:07:06 -06:00
Joe Grandja
97c949d929 oauth2Login() AuthenticationProvider's preserve root cause exception when rethrown
Closes gh-10228
2021-09-24 10:41:31 -04:00
Joe Grandja
5830fda2fa Introduce JwtEncoder
Closes gh-9208
2021-09-24 05:13:40 -04:00
bishoy basily
860690491a Add setBodyExtractor
Closes gh-10260
2021-09-22 15:32:19 -06:00
Josh Cummings
7b599d4770 Share JWKSource Instances
Closes gh-10312
2021-09-22 13:28:08 -06:00
Josh Cummings
4e7c9bee46 Add Supplier JwtDecoders
Closes gh-9991
2021-09-22 10:58:55 -06:00
Rob Winch
62db842865 Update com.nimbusds to 9.15
Closes gh-10287
2021-09-17 16:40:58 -05:00
Ashley Scopes
171522ebf2 Replace usages of deprecated OAuth2IntrospectionClaimNames
Replace all usages of OAuth2IntrospectionClaimNames with
the suggested OAuth2TokenIntrospectionClaimNames.

There does not appear to be any further usages of OAuth2IntrospectionClaimNames,
so it should be suitable for removal when appropriate in accordance with the
deprecation policy.
2021-09-15 15:05:08 -06:00
Ashley Scopes
7ccc915b2b Ensuring consistency in error handling of opaque providers/managers
The OpaqueTokenAuthenticationProvider now propagates the cause of
introspection exceptions in the same way that the reactive
OpaqueTokenReactiveAuthenticationManager does.

Fixed a final field warning on both OpaqueTokenAuthenticationProvider
and OpaqueTokenReactiveAuthenticationManager.
2021-09-15 15:05:08 -06:00
Ashley Scopes
e9d5bbba34 Fixed final field warnings in opaque token introspectors 2021-09-15 15:05:08 -06:00
Ashley Scopes
95c2403968 Fixed potential NullPointerException in opaque token introspection
It appears Nimbus does not check the presence of the Content-Type
header before parsing it in some versions, and since prior to this
commit, the code is .toString()-ing the result, a malformed response
(such as that from a misbehaving cloud gateway) that does not include
a Content-Type would currently throw a NullPointerException.

In addition to this, I have added a little more information to the
log output for this module on the standard and reactive implementations
to aid in debugging authorization/authentication issues much more
easily.
2021-09-15 15:05:08 -06:00
Ashley Scopes
dd43d9198b Amended treatment of OAuth2 'iss' claim
Prior to this commit, the OAuth2 resource server code is failing any issuer
that is not a valid URL. This does not correspond to
https://datatracker.ietf.org/doc/html/rfc7662#page-7 which redirects to
https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1, defining an
issuer as being a "StringOrURI", which is defined at
https://datatracker.ietf.org/doc/html/rfc7519#page-5 as being
an "arbitrary string value" that "MUST be a URI" only for
"any value containing a ':'".

The issue currently is that an issuer that is not a valid URL may be
provided, which will automatically result in the request being aborted
due to being invalid.

I have removed the check entirely, since while the claim could be invalid,
it is still a response that the OAuth2 introspection endpoint has provided.
In the liklihood that interpretations of this behaviour are different for
the OAuth2 server implementation in use, this currently stops Spring
Security from being able to be used at all without implementing a custom
introspector from scratch.

It is also worth noting that the spec does not specify whether it is
valid to normalize issuers or not if they are valid URLs. This may cause
other unintended side effects as a result of this change, so it is
safer to disable it entirely.
2021-09-15 15:05:08 -06:00
Ayush Kohli
f1691370d6 Closes gh-10222 2021-09-03 10:58:01 -06:00
/usr/local/ΕΨΗΕΛΩΝ
4302a86fad
Default principalClaimName to SUB
Closes gh-10214
2021-08-20 15:02:22 -06:00
Rujun Chen
9b4ddd7e0a Make AuthorizationGrantTypeConverter support custom grant type
Closes gh-10155
2021-08-19 13:13:20 -04:00